Configuration
All configuration is read from environment variables. Copy .env.example to .env for local development.
Environment Variable Reference
Database
| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_URL | Yes | — | PostgreSQL connection string (e.g. postgres://user:password@localhost:5432/forgejo_tickets?sslmode=disable) |
Server
| Variable | Required | Default | Description |
|---|---|---|---|
| PUBLIC_ADDR | No | :8080 | Listen address for the public (customer-facing) server |
| ADMIN_ADDR | No | :8081 | Listen address for the admin server |
| BASE_URL | No | http://localhost:8080 | Public base URL used to construct links in emails and OAuth redirects |
Sessions
| Variable | Required | Default | Description |
|---|---|---|---|
| SESSION_SECRET | Yes | — | Secret key for signing session cookies and CSRF tokens. Must be a random hex string. |
Generate a session secret:
openssl rand -hex 32
Forgejo
| Variable | Required | Default | Description |
|---|---|---|---|
| FORGEJO_URL | No | "" | Base URL of the Forgejo instance (e.g. https://forgejo.example.com) |
| FORGEJO_API_TOKEN | No | "" | API token for authenticating with the Forgejo API. Needs permission to create issues and comments. |
Both must be set for ticket-to-issue sync to work. See Forgejo Integration for details.
Email (Postmark)
| Variable | Required | Default | Description |
|---|---|---|---|
| POSTMARK_SERVER_TOKEN | No | "" | Postmark server API token for sending transactional emails |
| POSTMARK_FROM_EMAIL | No | "" | Sender email address (e.g. support@example.com) |
Both must be set for email sending to work. Without them, email operations will fail silently in the logs.
OAuth — Google
| Variable | Required | Default | Description |
|---|---|---|---|
| GOOGLE_CLIENT_ID | No | "" | Google OAuth 2.0 client ID |
| GOOGLE_CLIENT_SECRET | No | "" | Google OAuth 2.0 client secret |
Leave empty to disable Google sign-in. Redirect URI must be configured as {BASE_URL}/auth/google/callback in the Google Cloud Console.
OAuth — Microsoft
| Variable | Required | Default | Description |
|---|---|---|---|
| MICROSOFT_CLIENT_ID | No | "" | Microsoft Azure AD application (client) ID |
| MICROSOFT_CLIENT_SECRET | No | "" | Microsoft Azure AD client secret |
| MICROSOFT_TENANT_ID | No | common | Azure AD tenant ID. Use common for multi-tenant, or a specific tenant ID to restrict. |
Leave MICROSOFT_CLIENT_ID empty to disable Microsoft sign-in. Redirect URI: {BASE_URL}/auth/microsoft/callback.
OAuth — Apple
| Variable | Required | Default | Description |
|---|---|---|---|
| APPLE_CLIENT_ID | No | "" | Apple Services ID (e.g. com.example.tickets) |
| APPLE_TEAM_ID | No | "" | Apple Developer Team ID |
| APPLE_KEY_ID | No | "" | Key ID for the Sign in with Apple private key |
| APPLE_KEY_PATH | No | "" | File path to the .p8 private key file |
Leave APPLE_CLIENT_ID empty to disable Apple sign-in. Redirect URI: {BASE_URL}/auth/apple/callback. Note that Apple uses form_post response mode.
Admin
| Variable | Required | Default | Description |
|---|---|---|---|
| TAILSCALE_ALLOWED_USERS | No | "" | Comma-separated list of Tailscale login names allowed to access the admin panel (e.g. user@example.com,admin@example.com). If empty, all requests are allowed (dev mode). |
See Admin Guide for details on how Tailscale authentication works.
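A preflight check over the variables in this reference, added here as an example and not part of the project's own code. The function name `check_config` and its `production` flag are hypothetical; the 32-byte secret floor, the https and sslmode warnings, and treating a partly filled OAuth group as a warning are assumptions, not documented behaviour.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Variables this reference groups together. A partly filled group is reported
# (for the OAuth groups that is an assumption; the page only covers the empty case).
GROUPS = {
    "Forgejo sync": ["FORGEJO_URL", "FORGEJO_API_TOKEN"],
    "Postmark email": ["POSTMARK_SERVER_TOKEN", "POSTMARK_FROM_EMAIL"],
    "Google sign-in": ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
    "Microsoft sign-in": ["MICROSOFT_CLIENT_ID", "MICROSOFT_CLIENT_SECRET"],
    "Apple sign-in": ["APPLE_CLIENT_ID", "APPLE_TEAM_ID", "APPLE_KEY_ID", "APPLE_KEY_PATH"],
}

def check_config(env, production=True):
    """Return (level, message) findings for a dict of environment variables."""
    def get(name):
        return (env.get(name) or "").strip()
    out = []
    for var in ("DATABASE_URL", "SESSION_SECRET"):
        if not get(var):
            out.append(("error", f"{var} is required but not set"))
    secret = get("SESSION_SECRET")
    if secret and not re.fullmatch(r"[0-9a-fA-F]+", secret):
        out.append(("error", "SESSION_SECRET is not a hex string"))
    elif secret and len(secret) < 64:  # assumed floor: what `openssl rand -hex 32` yields
        out.append(("warn", "SESSION_SECRET is shorter than 32 bytes"))
    for feature, names in GROUPS.items():
        missing = [n for n in names if not get(n)]
        if missing and len(missing) < len(names):
            out.append(("warn", f"{feature}: partly configured, missing {', '.join(missing)}"))
    if get("MICROSOFT_CLIENT_ID") and get("MICROSOFT_TENANT_ID") in ("", "common"):
        out.append(("warn", "MICROSOFT_TENANT_ID is common: multi-tenant sign-in is enabled"))
    if production:  # assumed policy for a non-development deployment
        if not get("TAILSCALE_ALLOWED_USERS"):
            out.append(("error", "TAILSCALE_ALLOWED_USERS is empty: admin panel allows all requests"))
        if urlsplit(get("BASE_URL") or "http://localhost:8080").scheme != "https":
            out.append(("warn", "BASE_URL is not https (used in email links and OAuth redirects)"))
        query = parse_qs(urlsplit(get("DATABASE_URL")).query)
        if query.get("sslmode") == ["disable"]:
            out.append(("warn", "DATABASE_URL has sslmode=disable"))
    return out

if __name__ == "__main__":
    import os, sys
    findings = check_config(dict(os.environ))
    for level, msg in findings:
        print(f"{level}: {msg}")
    sys.exit(1 if any(level == "error" for level, _ in findings) else 0)
```

Run it with the same environment the service will start with; it exits non-zero when any error-level finding is present.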